netdev.vger.kernel.org archive mirror
From: David Ahern <dsahern@kernel.org>
To: Ido Schimmel <idosch@nvidia.com>, netdev@vger.kernel.org
Cc: davem@davemloft.net, kuba@kernel.org, pabeni@redhat.com,
	edumazet@google.com, horms@kernel.org, hanhuihui5@huawei.com
Subject: Re: [PATCH net 1/2] net: fib_rules: Fix iif / oif matching on L3 master device
Date: Tue, 15 Apr 2025 08:40:11 -0700	[thread overview]
Message-ID: <5667bed7-3b22-484e-8e31-9abb8029caee@kernel.org> (raw)
In-Reply-To: <20250414172022.242991-2-idosch@nvidia.com>

On 4/14/25 11:20 AM, Ido Schimmel wrote:
> Before commit 40867d74c374 ("net: Add l3mdev index to flow struct and
> avoid oif reset for port devices") it was possible to use FIB rules to
> match on an L3 domain. This was done by having a FIB rule match on iif /
> oif being an L3 master device. It worked because prior to the FIB rule
> lookup the iif / oif fields in the flow structure were reset to the
> index of the L3 master device to which the input / output device was
> enslaved.
> 
> The above scheme made it impossible to match on the original input /
> output device. Therefore, cited commit stopped overwriting the iif / oif
> fields in the flow structure and instead stored the index of the
> enslaving L3 master device in a new field ('flowi_l3mdev') in the flow
> structure.
> 
> While the change enabled new use cases, it broke the original use case
> of matching on an L3 domain. Fix this by interpreting the iif / oif
> matching on an L3 master device as a match against the L3 domain. In
> other words, if the iif / oif in the FIB rule points to an L3 master
> device, compare the provided index against 'flowi_l3mdev' rather than
> 'flowi_{i,o}if'.
> 
> Before cited commit, a FIB rule that matched on 'iif vrf1' would only
> match incoming traffic from devices enslaved to 'vrf1'. With the
> proposed change (i.e., comparing against 'flowi_l3mdev'), the rule would
> also match traffic originating from a socket bound to 'vrf1'. Avoid that
> by adding a new flow flag ('FLOWI_FLAG_L3MDEV_OIF') that indicates if
> the L3 domain was derived from the output interface or the input
> interface (when not set) and take this flag into account when evaluating
> the FIB rule against the flow structure.
> 
> Avoid unnecessary checks in the data path by detecting that a rule
> matches on an L3 master device when the rule is installed and marking it
> as such.
> 
> Tested using the following script [1].
> 
> Output before 40867d74c374 (v5.4.291):
> 
> default dev dummy1 table 100 scope link
> default dev dummy1 table 200 scope link
> 
> Output after 40867d74c374:
> 
> default dev dummy1 table 300 scope link
> default dev dummy1 table 300 scope link
> 
> Output with this patch:
> 
> default dev dummy1 table 100 scope link
> default dev dummy1 table 200 scope link
> 
> [1]
>  #!/bin/bash
> 
>  ip link add name vrf1 up type vrf table 10
>  ip link add name dummy1 up master vrf1 type dummy
> 
>  sysctl -wq net.ipv4.conf.all.forwarding=1
>  sysctl -wq net.ipv4.conf.all.rp_filter=0
> 
>  ip route add table 100 default dev dummy1
>  ip route add table 200 default dev dummy1
>  ip route add table 300 default dev dummy1
> 
>  ip rule add prio 0 oif vrf1 table 100
>  ip rule add prio 1 iif vrf1 table 200
>  ip rule add prio 2 table 300
> 
>  ip route get 192.0.2.1 oif dummy1 fibmatch
>  ip route get 192.0.2.1 iif dummy1 from 198.51.100.1 fibmatch
> 
> Fixes: 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif reset for port devices")
> Reported-by: hanhuihui <hanhuihui5@huawei.com>
> Closes: https://lore.kernel.org/netdev/ec671c4f821a4d63904d0da15d604b75@huawei.com/
> Signed-off-by: Ido Schimmel <idosch@nvidia.com>
> ---
>  include/net/fib_rules.h |  2 ++
>  include/net/flow.h      |  1 +
>  include/net/l3mdev.h    | 27 +++++++++++++++++++++++
>  net/core/fib_rules.c    | 48 ++++++++++++++++++++++++++++++++++-------
>  net/l3mdev/l3mdev.c     |  4 +++-
>  5 files changed, 73 insertions(+), 9 deletions(-)
> 

Acked-by: David Ahern <dsahern@kernel.org>


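To make the three behaviours the commit message compares concrete (before 40867d74c374, after it, and with this fix), here is an added model of the rule matching, written for this page and not taken from the kernel tree. The field names echo the identifiers the commit message mentions (flowi_iif, flowi_oif, flowi_l3mdev, FLOWI_FLAG_L3MDEV_OIF), but the struct layouts, the ifindex values, the netdev_is_l3_master() device table and the match_mode switch are assumptions made here so the model runs stand-alone; the real kernel resolves these through the fib_rules and l3mdev code listed in the diffstat. MODE_L3MDEV_NO_FLAG is the naive variant the commit message argues against (comparing against flowi_l3mdev without the new flag), included so the socket-bound-to-vrf1 case can be seen to go wrong.

```c
/*
 * Model of FIB rule iif/oif matching against an L3 master device (VRF).
 * Added illustration, not kernel code: field names echo the commit
 * message (flowi_iif, flowi_oif, flowi_l3mdev, FLOWI_FLAG_L3MDEV_OIF);
 * the ifindex values, device table and match_mode switch are assumptions.
 */
#include <stdbool.h>
#include <stdio.h>

#define FLOWI_FLAG_L3MDEV_OIF 0x1u  /* L3 domain derived from the output interface */

/* Constructed ifindex values for the devices in the script above. */
enum { IFINDEX_LO = 1, IFINDEX_VRF1 = 2, IFINDEX_DUMMY1 = 3 };

struct flowi {
	int flowi_iif;
	int flowi_oif;
	int flowi_l3mdev;       /* enslaving L3 master device, 0 if none */
	unsigned flowi_flags;
};

struct fib_rule {
	int iifindex;           /* 0: rule has no iif match */
	int oifindex;           /* 0: rule has no oif match */
	bool iif_is_l3_master;  /* detected once when the rule is installed */
	bool oif_is_l3_master;
	int table;
};

enum match_mode {
	MODE_RESET_IIF_OIF,   /* before 40867d74c374: iif/oif overwritten with the L3 master */
	MODE_PLAIN_IIF_OIF,   /* after 40867d74c374, before this fix: compare flowi_{i,o}if only */
	MODE_L3MDEV_NO_FLAG,  /* compare against flowi_l3mdev but ignore the new flag */
	MODE_L3MDEV_FLAG,     /* this fix: flowi_l3mdev plus FLOWI_FLAG_L3MDEV_OIF */
};

/* Assumed device table: only vrf1 is an L3 master device. */
static bool netdev_is_l3_master(int ifindex) { return ifindex == IFINDEX_VRF1; }

/* Rule install: classify iif/oif once so the data path does not re-check. */
static struct fib_rule fib_rule_add(int iif, int oif, int table)
{
	struct fib_rule r = { iif, oif, netdev_is_l3_master(iif),
			      netdev_is_l3_master(oif), table };
	return r;
}

static bool rule_iif_match(const struct fib_rule *r, const struct flowi *fl, enum match_mode m)
{
	if (!r->iifindex)
		return true;
	if (m >= MODE_L3MDEV_NO_FLAG && r->iif_is_l3_master) {
		/* Domain derived from the output device: not an ingress match. */
		if (m == MODE_L3MDEV_FLAG && (fl->flowi_flags & FLOWI_FLAG_L3MDEV_OIF))
			return false;
		return fl->flowi_l3mdev == r->iifindex;
	}
	return fl->flowi_iif == r->iifindex;
}

static bool rule_oif_match(const struct fib_rule *r, const struct flowi *fl, enum match_mode m)
{
	if (!r->oifindex)
		return true;
	if (m >= MODE_L3MDEV_NO_FLAG && r->oif_is_l3_master) {
		/* Domain derived from the input device: not an egress match. */
		if (m == MODE_L3MDEV_FLAG && !(fl->flowi_flags & FLOWI_FLAG_L3MDEV_OIF))
			return false;
		return fl->flowi_l3mdev == r->oifindex;
	}
	return fl->flowi_oif == r->oifindex;
}

/* Returns the table of the first matching rule, 0 if none matches. */
static int fib_rules_lookup(const struct fib_rule *rules, unsigned n, struct flowi fl, enum match_mode m)
{
	/* Pre-40867d74c374 behaviour: overwrite iif/oif with the L3 master. */
	if (m == MODE_RESET_IIF_OIF && fl.flowi_l3mdev) {
		if (fl.flowi_flags & FLOWI_FLAG_L3MDEV_OIF)
			fl.flowi_oif = fl.flowi_l3mdev;
		else
			fl.flowi_iif = fl.flowi_l3mdev;
	}
	for (unsigned i = 0; i < n; i++)
		if (rule_iif_match(&rules[i], &fl, m) && rule_oif_match(&rules[i], &fl, m))
			return rules[i].table;
	return 0;
}

/* Rule set from the script: prio 0 oif vrf1 -> 100, prio 1 iif vrf1 -> 200, prio 2 -> 300. */
static int script_rules_lookup(const struct flowi *fl, enum match_mode m)
{
	struct fib_rule rules[3];

	rules[0] = fib_rule_add(0, IFINDEX_VRF1, 100);
	rules[1] = fib_rule_add(IFINDEX_VRF1, 0, 200);
	rules[2] = fib_rule_add(0, 0, 300);
	return fib_rules_lookup(rules, 3, *fl, m);
}

/* Only the iif rule plus the default, to isolate the socket-bound-to-vrf1 case. */
static int iif_rules_lookup(const struct flowi *fl, enum match_mode m)
{
	struct fib_rule rules[2];

	rules[0] = fib_rule_add(IFINDEX_VRF1, 0, 200);
	rules[1] = fib_rule_add(0, 0, 300);
	return fib_rules_lookup(rules, 2, *fl, m);
}

/* Constructed flows: the two 'ip route get' lookups plus a socket bound to vrf1. */
static const struct flowi egress_via_dummy1 = { IFINDEX_LO, IFINDEX_DUMMY1, IFINDEX_VRF1, FLOWI_FLAG_L3MDEV_OIF };
static const struct flowi ingress_from_dummy1 = { IFINDEX_DUMMY1, 0, IFINDEX_VRF1, 0 };
static const struct flowi socket_bound_to_vrf1 = { IFINDEX_LO, IFINDEX_VRF1, IFINDEX_VRF1, FLOWI_FLAG_L3MDEV_OIF };

int main(void)
{
	static const char *names[] = { "reset iif/oif", "plain iif/oif", "l3mdev, no flag", "l3mdev + flag" };

	for (int m = MODE_RESET_IIF_OIF; m <= MODE_L3MDEV_FLAG; m++)
		printf("%-16s oif dummy1 -> %d, iif dummy1 -> %d, socket on vrf1 (iif rule only) -> %d\n",
		       names[m], script_rules_lookup(&egress_via_dummy1, m),
		       script_rules_lookup(&ingress_from_dummy1, m),
		       iif_rules_lookup(&socket_bound_to_vrf1, m));
	return 0;
}
```

The first two columns reproduce the three outputs quoted in the commit message (100/200 before 40867d74c374, 300/300 after it, 100/200 with the fix). The third column is the case the flag exists for: with the domain taken from flowi_l3mdev but no FLOWI_FLAG_L3MDEV_OIF check, a socket bound to vrf1 hits the "iif vrf1" rule and lands in table 200, while with the flag it falls through to table 300 exactly as it did before 40867d74c374.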


Thread overview: 6+ messages
2025-04-14 17:20 [PATCH net 0/2] fib_rules: Fix iif / oif matching on L3 master device Ido Schimmel
2025-04-14 17:20 ` [PATCH net 1/2] net: " Ido Schimmel
2025-04-15 15:40   ` David Ahern [this message]
2025-04-14 17:20 ` [PATCH net 2/2] selftests: fib_rule_tests: Add VRF match tests Ido Schimmel
2025-04-15 15:40   ` David Ahern
2025-04-16  3:10 ` [PATCH net 0/2] fib_rules: Fix iif / oif matching on L3 master device patchwork-bot+netdevbpf
